Are OSS attacks avoidable?

Why open-source attacks evade detection — and how to stop them

Open source software attacks are preventable — but not prevented

Risks from the software supply chain show no signs of dying down. In 2023, there were twice as many of these attacks as the combined total observed from 2019 to 2022.

Protecting the supply chain is notoriously tricky, but why specifically? According to Sonatype’s Annual State of the Software Supply Chain Report, 96% of attacks hinged on an open-source software (OSS) vulnerability that already had an available patch, while just 4% of attacks were deemed “unavoidable.” Considering the many consequences of OSS compromise — e.g. credential harvesting and financial data loss — why are so many of these “avoidable” attacks still getting through?

Often, the true problem is one of visibility — having a system for properly protecting OSS packages, and for understanding which ones are vulnerable in the first place. And as these attacks continue to skyrocket, this broader problem becomes more important than ever. Keep reading to discover:

  • What makes OSS packages susceptible to exploitation

  • Why organizations frequently overlook compromised software — and put themselves at risk

  • 4 best practices to avoid common OSS vulnerabilities and reduce the likelihood of attacks

What makes OSS attacks hard to stop?

Staying ahead of OSS attacks can be a daunting challenge for organizations. By one estimation, 1 of every 8 open-source component downloads in 2023 contained a known security risk — on top of the 200+ million malicious packages that were detected in the same year.

Here are several reasons why these attacks remain so prevalent (and difficult to avoid):

OSS attacks are designed to evade detection

As they continue to evolve, OSS attacks frequently slip past common security measures. For example, one OSS attack used both preinstall scripts and employee impersonation tactics to target a bank and install malicious software on the targets’ systems. Then, the attacker delivered a second-stage payload using a legitimate subdomain, one that incorporated the name of the targeted bank and was thus more likely to avoid getting flagged by security systems.
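Because preinstall scripts run the moment a dependency is installed, a useful defensive check is to list which locked npm dependencies declare install-time scripts at all. The following is an added example, not code from the original article or from Cloudflare; the lockfile contents, package names and allowlist are constructed for illustration, and it relies on the `hasInstallScript` flag that npm writes into `package-lock.json` (lockfileVersion 2 and 3).

```javascript
// Constructed sample lockfile (lockfileVersion 3); all package names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/native-addon": { version: "4.0.2", hasInstallScript: true, integrity: "sha512-CONSTRUCTED" },
    "node_modules/native-addon/node_modules/tiny-dep": { version: "0.3.1", hasInstallScript: true, dev: true },
    "node_modules/@acme/internal-ui": { version: "9.9.9", hasInstallScript: true },
  },
};

// Assumption: packages a reviewer has already approved to run install scripts.
const ALLOWLIST = new Set(["native-addon"]);

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns every locked dependency that runs preinstall/install/postinstall
// scripts and is not on the allowlist, sorted by name.
function auditInstallScripts(lock, allowlist = new Set()) {
  if (!lock.packages) {
    throw new Error("no 'packages' map (lockfileVersion 1); regenerate with npm 7+");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !meta.hasInstallScript) continue; // root project or no scripts
    const name = packageName(path);
    if (allowlist.has(name)) continue;
    findings.push({
      name,
      version: meta.version,
      dev: Boolean(meta.dev),            // only installed for development
      missingIntegrity: !meta.integrity, // no pinned hash to verify the tarball
    });
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

for (const f of auditInstallScripts(SAMPLE_LOCK, ALLOWLIST)) {
  console.log(`${f.name}@${f.version} runs install scripts` +
    (f.missingIntegrity ? " (no integrity hash)" : ""));
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` instead of `SAMPLE_LOCK`; installing with `npm ci --ignore-scripts` keeps unreviewed scripts from running while the findings are triaged.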

Not only are attackers using sophisticated methods to remain undetected, but they have also shifted their focus from isolated systems and applications to weak spots in DevOps tools, platforms, open-source repositories, and software components. One example is targeting open-source scripts that run client-side, since most OSS security tools focus on server-side code. In one instance of this tactic, security researchers discovered that third-party JavaScript trackers embedded on websites using Login With Facebook could be used to harvest Facebook login data.

Outdated or unmaintained software takes longer to patch

OSS attacks can be carried out via multiple methods, from tricking victims into downloading malicious packages to compromising software updates. And given how long these attacks remain undetected — sometimes spanning weeks or months — patching vulnerabilities as soon as possible is of the utmost importance.

However, when organizations use outdated or unmaintained software, carrying out critical upgrades becomes a laborious and time-consuming process, which can increase the risk of compromise and attack.

How avoidable is this problem? Per Sonatype’s 2023 report, there are approximately “10 superior versions [of software components] available” for every risky upgrade organizations make.

Software updates can compromise previously benign packages

In even more insidious cases, automated software updates are compromised by attackers, so that unsuspecting users inadvertently trigger malicious actions. In one attack, an estimated three million users were targeted by malicious updates to Python and PHP packages, which attempted to harvest AWS credentials.

Other malicious updates may take months or even years to execute, lulling users into a false sense of security once they have already vetted and trusted certain software packages — like the dormant npm package that attempted to exfiltrate Ethereum private keys after eight months of relative disuse.

4 strategies to protect against OSS attacks

Given the prevalence and multi-pronged nature of OSS attacks, it is almost impossible for organizations to patch every program, track every software component, and catalog every potential vulnerability in their environment. However, there are still several measures that organizations can take to mitigate the biggest threats, including:

1. Use "actively maintained" open-source software.

More often than not, poor vetting practices open the door to OSS risks and attacks. When evaluating open-source software and projects, organizations should not only implement the most current software version but also take time to evaluate whether that software is being actively reviewed for vulnerabilities and updated accordingly.

2. Identify and apply patches for known vulnerabilities.

In 2023, over two billion OSS downloads had known vulnerabilities — and available fixes for them. While not every vulnerability may be exploited by attackers, organizations should take steps to improve their security posture by evaluating the OSS packages within their environment and applying patches whenever possible.

3. Identify the biggest risk areas and prioritize critical upgrades within software supply chains.

Patching every single vulnerability may be an unrealistic goal for most organizations, but prioritizing the most critical risks and upgrades can help mitigate attacks likely to do the most damage.

4. Improve your overall security posture with Zero Trust best practices to mitigate risks and damage.

A comprehensive security framework — like Zero Trust — can help reduce an organization’s attack surface and mitigate risks of unpatched OSS vulnerabilities. In a Zero Trust architecture, no entity is inherently trusted by default and every request to every resource is verified based on identity and other contextual signals. This means that even if an attacker compromises a device or piece of infrastructure, it is very difficult for the attacker to move laterally or escalate privileges within an IT environment. Moreover, by extending the ‘no trust by default’ approach to web activity, organizations can isolate Internet browsing and insulate devices from potentially risky online code.

How Cloudflare helps block OSS attacks

Protecting against modern OSS attacks requires organizations to examine and secure every stage of the software development lifecycle, as well as develop a thorough understanding of the software they adopt: first, to identify critical patches for previously identified vulnerabilities, then to prioritize the biggest risks and upgrades accordingly.

Cloudflare is designed to help organizations stay ahead of modern and emerging threats, including software supply chain attacks, and regain control and visibility everywhere – throughout IT environments, across the attack lifecycle, and around the world. Specifically, organizations can adopt Cloudflare’s unified, intelligent platform to strengthen security in critical areas like:

  • Discovering open source third-party client-side scripts used by web apps

  • Protecting web apps from vulnerability exploits in open source software and from malicious, open source, client-side scripts

  • Improving threat visibility and control across the entire digital portfolio

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Key takeaways

After reading this article you will be able to understand:

  • 2023 saw twice as many supply chain attacks as the 4 years prior combined

  • Why organizations miss critical OSS vulnerabilities

  • 4 tips to minimize OSS risks
